UNISON’s Breach Reporting Process 


The General Data Protection Regulation (GDPR) 2016 defines a personal data breach as a 
breach of security leading to the accidental or unlawful destruction, loss, alteration, 
unauthorised disclosure of, or access to, personal data. 


UNISON takes data protection very seriously and works hard to ensure that all processing of 
data is compliant with the GDPR and all relevant data protection legislation. 


UNISON deals with data breaches in line with Recital 87 of the GDPR; when a security 
incident takes place we quickly establish whether a personal data breach has occurred and, 
if so, promptly take steps to address it. 


All areas of UNISON (branch / region / UNISONdirect / UNISON Centre) are aware that any 
data breach should be reported to the data protection team as soon as they become aware 
of it. The data protection team can be contacted either by phone on 0207 121 5237 or by email 
at dataprotection@unison.co.uk. When emailing the data protection team, our automated 
response advises that a response will be provided within 5 working days. However, we 
ensure that anything of an urgent nature, such as a data breach, is responded to on the 
same day. 


When reporting a breach, the data protection team ask for the following information in order 
to establish the likelihood and severity of the resulting risk to people’s rights and freedoms: 


• the date the incident occurred 
• the date the incident was identified 
• a description of the breach 
• estimated number of people affected 
• description of personal data involved 
• summary of action taken 


In assessing risk to rights and freedoms, we focus on the potential negative consequences 
for individuals and assess each incident on a case-by-case basis. 


If it’s likely that there will be a risk to an individual, UNISON will notify the Information 
Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. We will 
inform those concerned directly without undue delay, provide advice on how to contain the 
breach and what corrective action needs to be put in place to prevent a similar reoccurrence. 


The data protection team records all data breaches, whether or not they are reported to the ICO, 
on an internal register. We offer advice and guidance on how individuals can prevent 
recurrence and also use the information from breach reports to inform data protection 
training priorities nationally, regionally and in branch. 


